Electron Security Model — Vocabulary & Concepts Quiz
Modern Electron development requires a strong understanding of context isolation, the contextBridge API, and secure IPC patterns. Test your knowledge of Electron's layered security model.
1 / 5
What does context isolation in Electron prevent?
Context isolation runs the preload script and the renderer page in separate JavaScript contexts (V8 contexts). Even though they share the same DOM, the renderer page cannot access Node.js or Electron objects through prototype chain manipulation — preventing a compromised page from escalating to system-level access via the preload's privileged context.
2 / 5
What is the role of a preload script in Electron's security model?
Preload scripts execute before the renderer's web page loads, with access to Node.js APIs and Electron's renderer-side APIs. By using contextBridge.exposeInMainWorld(), they selectively expose safe, narrowly-scoped APIs to the renderer — following the principle of least privilege rather than enabling nodeIntegration: true.
3 / 5
What is contextBridge.exposeInMainWorld used for?
contextBridge.exposeInMainWorld(name, api) creates a safe bridge between the preload's Node.js context and the renderer's sandboxed context. The exposed API appears in the renderer as a property of window under the given name (window[name]), but any functions inside are bound to the preload context, which prevents the renderer from accessing anything beyond what was explicitly exposed.
4 / 5
In Electron's IPC model, what is the difference between ipcRenderer.send and ipcRenderer.invoke?
ipcRenderer.send sends a message to the main process with no built-in mechanism to receive a response — you'd need to set up a separate listener. ipcRenderer.invoke uses a request-response pattern, returning a Promise that resolves when the main process's corresponding ipcMain.handle handler returns a value.
5 / 5
What does Electron's V8 sandbox option add to the renderer process security model?
Electron's process sandbox (enabled via sandbox: true) restricts the renderer process at the OS level using the same sandboxing Chromium uses for browser tabs. A sandboxed renderer cannot make direct system calls — any OS interaction must go through the main process via IPC. Combined with context isolation, this provides defence-in-depth against renderer exploits.